I don't think you need to add the certificate on the client side. I was able to POP my GMail account without having to do this. The only requirement is that the POP3 server has to have a signed certificate.

Err, I truly hope this is not the case (or I'm misunderstanding you or the other way around):

If I would not need the CA Certificate, then I could make a POP3 Server using a certificate which I could sign using a 'fake' verisign or trustcenter or what ever CA Cert. My connection would be encrypted etc., but then I should also allow self-signed and invalid (no longer valid for example) certificates as they feature the same amount of Man-in-the-middle protection ( = none).

For fetchmail (no zimbra needed) you need to download the Equifax CA Certificate, so I guess you have to place the CA Cert in Zimbra _somewhere_.

My question is... where? :-)

Update/Added:
The problem is described here. I get the "unable to find valid certification path to requested target" which for sounds like I need the CA Cert, but it does not have be that..